Mark and Amit,

On 4/10/18 2:21 AM, Mark Thomas wrote:
> On 9 April 2018 23:29:43 BST, Amit Pande <amit.pa...@veritas.com> wrote:
>> Some more debugging here and I got some stuff working here.
>>
>> Only one question:
>>
>> It is not really clear from the documentation of "clientAuth"
>>
>> "Set to true if you want the SSL stack to require a valid certificate
>> chain from the client before accepting a connection. Set to want if you
>> want the SSL stack to request a client Certificate, but not fail if one
>> isn't presented. A false value (which is the default) will not require
>> a certificate chain unless the client requests a resource protected by
>> a security constraint that uses CLIENT-CERT authentication. See the SSL
>> HowTo for an example. That SSL HowTo also contains tips on using
>> per-user or per-session certificate-based clientAuth."
>>
>> So, if I am using a clientAuth="false" and relying on "CLIENT-CERT"
>> configuration, does that mean browsers won't prompt users to supply the
>> certificate when a protected resource is accessed?
>
> In that scenario the browser will prompt the user for a certificate if
> everything is correctly configured.
>
> However, it is possible that the browser will determine that it has no
> matching certificates and therefore decide not to display the certificate
> prompt.

Also, sometimes browsers will "remember" your choice from a prior
interaction during the same browser session. So for example if you have
clientAuth="want" and you press "No/Cancel/[escape]/[close window]" the
browser may "remember" that you don't want to present a certificate.

-chris